All Topics

In the above, I am comparing the last 15m of data to the current week's 15m of data, and I am getting good results. But in the same search, when I use the filter Device_Type="mobile", I am not getting the last week of data in the graph. Please help me out with this.
Hello, I have a monthly report that produces a table like this:

Violation list
Employee  month
A         8-2022
B         8-2022

I want to add a counter to count consecutive occurrences. For example:

In the September report (9-2022):
- employee A violated, his counter increases to 2
- employee B didn't violate, so he doesn't show up in the report
- employee C violated, first time showing up on the report, his counter is 1

In the October report (10-2022):
- employee A violated again, his counter increases to 3
- employee B violated again, but didn't show up on the September report, so his counter resets to 1
- employee C violated again, his counter increases to 2

I want the end table to look like this:

Employee  month    Counter
A         10-2022  3
B         10-2022  1
C         10-2022  2

Since the report was an outputlookup csv, I don't think I can use streamstats. Can anyone suggest a way to do this?
Is there a way to add a horizontal reference line to a boxplot chart? The chart uses the Machine Learning Toolkit custom visualization boxplot chart and features multiple box plots next to each other. I would like to add a line to show when a boxplot's whisker crosses over a threshold line, but there is very little customization available in the UI for this visualization. Is there some way to add this line to this type of plot using the XML source in the dashboard editor?
I have a Bash script on our deployment server. The directory tree and the inputs.conf file:

bin
  bash_script.sh
local
  inputs.conf
  app.conf

The inputs.conf file:

[script://./bin/bash_script.sh]
interval = -1

I restart the deployment server. I then check one of the servers I have this app deployed to:

index="_internal" bash-script sourcetype=splunkd host="specific-hostname"

message from "/opt/splunkforwarder/etc/apps/bash_script/bin/bash_script.sh" /bin/sh: 1: /opt/splunkforwarder/etc/apps/bash_script/bin/bash_script.sh: Permission denied

That path and file do exist on the destination server. What am I missing?
I am trying to add a percentage to the total row generated by addcoltotals. I would like to show the total percentage of successes for a search using top. addcoltotals seems to only perform a sum and doesn't calculate the total percentage properly, so leaving "%" off the percentage values would result in it becoming 120 in the final cell.

Currently generated table:

user     Total Successful  Total Failed  Total Calls  Success Percentage
Maynard  2                 3             5            40.00%
Keenan   8                 2             10           80.00%
TOTALS   10                5             15

Ideally the currently empty cell would display 66.67%.

Query:

search string
| top 0 countfield=Count percentfield=Percent status by user
| eventstats sum(eval(if(match(status, "2\d{2}"), Count, 0))) as success by user
| eventstats sum(eval(if(match(status,"[45]\d{2}"), Count, 0))) as fail by user
| eventstats sum(Count) as total by user
| eval percent_success = round((success)/(total)*100, 2)."%"
| stats values(success) as "Total Successful" values(fail) as "Total Failed" values(total) as "Total Calls" values(percent_success) as "Success Percentage" by user
| addcoltotals labelfield=user label=TOTALS

The ."%" prevents addcoltotals from summing the values, leaving the bottom right cell blank.

Is there a way to override the sum functionality of addcoltotals? Or is there a way to manually add a row to a table generated by stats where I can just calculate the values myself? Would it be possible to overwrite just the empty cell with a percentage calculation I do myself?
Hey all, can someone help me out with a JSON related question? Many many thanks! I have a JSON array field in this format:

results=<200 OK OK, {
  "tnPortingActivityInProgress" : "N",
  "availableActions" : [
    { "accountAction" : "Restart", "actionAvailable" : "N", "actionNotAvailableReason" : "Account is Active" },
    { "accountAction" : "Multi-AP Salable", "actionAvailable" : "Y" },
    { "accountAction" : "Seasonal Suspend", "actionAvailable" : "Y" }
  ],
  "transactionId" : "1234567"
} ,[]>

I would love to parse the JSON array into this format:

transactionId  accountAction     actionAvailable  actionNotAvailableReason
1234567        Restart           N                Account is Active
1234567        Multi-AP Salable  Y
1234567        Seasonal Suspend  Y

I have tried a query like this. As you can see, the data is stacked in the same row right now, which is not working in my case, as I have no idea which actionAvailable and actionNotAvailableReason belong to which accountAction. And the search is not working either if we do it like this.
I have this query that gets current CURRENT_OUT counts by DISTRICT:

index=<my index> sourcetype=oracle:query source=<source>
| fields DISTRICT, OUT_CUSTS
| where _time>relative_time(now(),"-5m")
| stats sum(OUT_CUSTS) as CURRENT_OUT by DISTRICT
| table DISTRICT, CURRENT_OUT
| sort by DISTRICT

This works to get current counts because the db source is updated every 5 minutes in Splunk DB Connect. I get a nice table of CURRENT_OUT by DISTRICT. Is it possible to expand this to add a peak value for CURRENT_OUT over, say, the last 24 hours, while still including the current CURRENT_OUT value in the table as well? I'm looking at the bin command but I can't put it together. Once I expand the timeframe for my query, I'm bringing back way too much data and overinflating the current CURRENT_OUT values for each DISTRICT. Thanks
I created a column chart and I want to add a line on the y-axis as the upper limit that increases by 300 every 6 hours (pink line in the image attached). How would I do this?

Is there an option to display a line that I can add in the dashboard under my chart code?
Hello, my Splunk environment is integrated with Active Directory for logins per DoD STIG requirement. However, one of the Active Directory STIGs requires AD accounts to be disabled if they have not logged in within the past 30 days, and it does not seem that logging in via Splunk notifies AD that the user has logged in. Please help, as I have certain users that only log in via the Splunk UI and every month AD is disabling their accounts. Thanks, David
We are using 8.2.3 with SHC and multisite indexer clustering. We have some mismatch on key business data and we need to delete and reload some data from the summary index for only a few days. The search below returns data which is wrong and is to be deleted.

Search:

index=INDEXNAME sourcetype=stash source=SOURCENAME datasource="DATASOURCENAME" host=HOSTNAME

But when I add "| delete" to the search above, it deletes 0 events and gives no error. This worked a few months ago but not today, so I reckon there are no config issues, since the capability and deleteIndexesAllowed have already been configured for the index.
Some KOs are not found in the GUI under Settings > Searches, Reports and alerts when searching by name. The version we currently operate is 8.2.1 with a SH cluster. This happens quite frequently, mostly for the alerts whose search strings we make changes to.
Hi community! I have a dashboard that shows the alerts in a table and in a graph. The question is: how can I link each fired alert to its respective saved search? I have pasted an image.
Hello community, since a couple of months ago we have been having an issue in Splunk and it is so weird... The issue is that we are working as usual and suddenly we lose the session, and when we refresh, the UI is shown like the image below: as you can see, the menu at the top right is broken and the icon is broken too. Also, if you try to click one of the available options, it doesn't work. We have a search head cluster and a load balancer.

If you have any idea, I'd really appreciate it.

Thanks in advance. Version 8.2.2
Hello, I have an existing JSON object and I'd like to merge another JSON object into it. I don't want to combine them into an array; I'd like them merged. Any ideas how I'd do this?

| eval object1=json_object("somekey","value")
| eval object2=json_object("someOtherKey","value")

Combined value:

{"somekey":"value","someOtherKey":"value"}
I want to send an alert when a situation has been corrected. For example, if I set up an alert for low disk space on a host, and I set this alert up to check every 15 minutes with a range back of 15 minutes, I will get an alert until I correct the low disk issue on the host. But what I want is that when the problem is corrected, Splunk somehow knows that it needs to send an "Alert resolved" out. The problem is I only want it to send that "Alert resolved" message out after an alert was sent out saying there was a problem. I would think that somehow a flag for an alert would need to be set when an alert is thrown, so that when the condition is corrected, Splunk has a way to know that previously there was a problem and it would send the "Alert resolved" alert. Anyone know of a way to do this? Gary
I have created a multiselect input using a dynamic list:

<input type="multiselect" token="my_id" searchWhenChanged="true">
  <label>My ID</label>
  <fieldForLabel>my_id</fieldForLabel>
  <fieldForValue>my_id</fieldForValue>
  <search>
    <progress>
      <condition match="'job.resultCount'==1">
        <set token="form.my_id">$result.my_id$</set>
        <set token="my_id">$result.my_id$</set>
      </condition>
    </progress>
    <query>| tstats values(my_id) as my_id where index=my_index sourcetype IN (my_sourcetype) | mvexpand my_id | table my_id | dedup my_id</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter>, </delimiter>
</input>

I also have a pie chart:

<row>
  <panel>
    <title>Total Vulnerabilities by My ID</title>
    <chart>
      <search base="base_search">
        <query>| stats count by my_id</query>
      </search>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisY.abbreviation">auto</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">zero</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
      <option name="charting.legend.placement">right</option>
      <option name="link.exportResults.visible">$exportResults$</option>
      <option name="link.inspectSearch.visible">$inspectSearch$</option>
      <option name="link.openPivot.visible">$openPivot$</option>
      <option name="link.openSearch.visible">$openSearch$</option>
      <option name="refresh.display">progressbar</option>
      <drilldown>
        <set token="form.my_id">$click.value$</set>
      </drilldown>
    </chart>
  </panel>
</row>

I would like to HIDE the panel (not the row) in the event only one value is selected from the multiselect.
I would like to SHOW the panel (not the row) in the event more than one value is selected from the multiselect. Is this possible? I have seen this accomplished for static lists, but I am unable to use a static list in this instance. Thank you.
We have alert events coming into Splunk and Splunk ITSI that we open ServiceNow incidents for, but depending on the event contents the incident will need to be routed to different teams. An example scenario: if the alert comes from server A, then set the ServiceNow assignment group to team A; alerts from all other servers should go to team B. We will have many of these scenarios in our environment. What is the best way to do this?

Thanks in advance!
Hi, I was looking at the latest version of the Linux Auditd App and Add-on. Both are listed as 3.1.2 at the source https://github.com/doksu/splunk_auditd but only the Add-on shows the latest version on Splunkbase. The App is still at 3.1.0.

https://splunkbase.splunk.com/app/4232 - Add-on - Version 3.1.2
https://splunkbase.splunk.com/app/2642 - App - Version 3.1.0

Should I be downloading the App directly from GitHub? Thanks
I am probably overengineering this, but this is the only way I could get a script to execute on a UF: via a deployed application's bin folder. I have a .path file which executes powershell.exe -command "& 'path_to_ps1_script'" and it's placed, as stated, in the myapp\bin\scripts folder. The PS1 script returns valid JSON. The app's inputs.conf stanza:

[script://$SPLUNK_HOME\etc\apps\<my app>\bin\scripts\myscript.path]
disabled=false
interval=60
sourcetype=my_source_type
source=my_source
send_index_as_argument_for_path=false
index=my_index

As soon as I put index=my_index in my stanza, the data is not being indexed for some reason. If I remove the index, the data is indexed into the default "main" index; however, I'm looking for a solution to send that data to an index I specify.

Any suggestions?
Greetings. Is it possible to merge 2 searches? If there is any common value, then connect them. If there is no match, keep the events with null()s. I have tried with the join function, but the join function drops those events where there is no match.